
North Korea Targets Crypto Jobs With New Malware

A North Korea-aligned threat actor has targeted job seekers in the cryptocurrency industry with new malware designed to steal credentials from crypto wallets and password managers.

Cisco Talos reported on Wednesday that it had found a new Python-based remote access trojan (RAT) it named "PyLangGhost", attributing the malware to a North Korea-affiliated hacking collective known as "Famous Chollima", also called "Wagemole".

The hacking group has targeted job seekers and employees with cryptocurrency and blockchain experience, mainly in India, in fake job interview campaigns built on social engineering.

"Based on the advertised positions, it is clear that Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technology."

Fake job sites and skills tests as cover for malware

The attackers create fraudulent job sites that impersonate legitimate companies such as Coinbase, Robinhood and Uniswap, and victims are guided through a multi-stage process.

This begins with initial contact from fake recruiters, who send invitations to skills-testing websites where the victim's information is collected.

Example of a fake job website. Source: Cisco Talos

Victims are then lured into granting camera and video access for fake interviews, during which they are instructed to copy and execute malicious commands under the pretext of installing updated video drivers, resulting in the compromise of their device.

Crypto wallet credentials targeted

PyLangGhost is a variant of the previously documented GolangGhost RAT and shares similar features, Cisco Talos said.

Once running, its commands allow remote control of the infected system and the theft of cookies and credentials from more than 80 browser extensions, the researchers reported.

These include password managers and cryptocurrency wallets, notably MetaMask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX.

Instructions to download the payload. Source: Cisco Talos

Multi-purpose malware

The malware can perform other tasks and run many commands, including taking screenshots, managing files, stealing browser data, collecting system information and maintaining remote access to infected systems.


The researchers also noted that, based on the comments left inside the code, it was unlikely the threat actors had used an AI large language model to help write it.

Fake job lures are not new

This is not the first time hackers linked to North Korea have used fake jobs and interviews to lure their victims.

In April, hackers linked to the $1.4 billion Bybit hack targeted crypto developers using fake recruitment tests infected with malware.
